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We claim: 

1. A method for controlling access to a computer system device, being accessed 
through a special device file, with externally stored resources comprising the steps of: 

retrieving the file attributes for the device file used in the system device access 
5 attempt; 

determining whether the resource that is making the access attempt is a special 
device file; 

searching a mapping database for device files that represent the system device that 
is the object of the access attempt and generating a device file entry list of all protected 
10 device files that represent said system device; and 

generating an authorization decision for the access attempt to the system device 
based on the security policy that governs each device file in the device file entry Ust. 

2. The method as described in claim 1 further comprising before said searching step 
15 the step of terminating said access control method when the accessing resource is not a 

special device file. 

3. The method as described in claim 1 further comprising after said searching step 
the step of terminating said access control method when said searching step did not find 

20 any database entries that had device specifications that match the device specifications of 
the device file making the access attempt. 

4. The method as described in claim 1 wherein said searching step comprises the 
steps of: 

25 retrieving an entry from the mapping database; 

comparing the device specification of the device file making the access attempt to 
the device specification of the database entry; and 

comparing the file name of the device file making the access attempt to the 
protected object name of the database entry. 
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5. The method as described in claim 4 further comprising after said file name 
comparison step the steps of: 

generating a device file entry list containing the database entry with the same file 
specification and file name as the device file making the access attempt; and 
5 terminating said searching step. 

6. The method as described in claim 4 further comprising after said file name 
comparison step the steps of placing in a file entry list, a mapping database entry having 
the same file specification as, but different file name from the device file making the 

10 access attempt. 

7. The method as described in claim 6 further comprising the steps of: 
determining whether there are more entries in the database; 

retrieving the next mapping database entry for comparison with said device file 
15 making the access attempt, when more entries are found in the mapping database; and 
returning to said device file comparison step. 

8. The method as described in claim 2 wherein said authorization decision step 
comprises the steps of: 

20 retrieving the current entry in the device file entry list; 

calling the access decision component to obtain an access decision for the access 
attempt to the system device based on the security policy that governs the current entry in 
the device file entry list; 

determining whether decision component granted access; 
25 determining whether more entries are in this file entry list, if decision component 

granted access; and 

updating current entry in said device file entry list and returning to said current 
entry retrieving step. 
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9. The method as described in claim 8 further comprising after said decision 
determination step the step of denying the access attempt to the system device if the 
decision component of a device file entry denies access. 

5 10. The method as described in claim 8 further comprising the step of allov^ing the 
access attempt to the system device if no more entries are in the file entry list. 

11. A method for controlling access to a computing system device being accessed 
through a device file, said access control being through an externally stored resource and 

10 comprising the steps of: 

monitoring the computing system for activities related to creating and accessing 
special device files that represent system devices; 

restricting the creation of special device files based on rules defined in the 
extemally stored resource; and 
15 restricting special device file accesses based on rules defined in the extemally 

stored resource. 

12. A computer program product in a computer readable medium for controlling 
access to a computer system device, being accessed through a special device file, with 

20 extemally stored resources comprising the steps of: 

instructions for retrieving the file attributes for the device file used in the system 
device access attempt; 

instmctions for determining v^hether the resource that is making the access 
attempt is a special device file; 
25 instmctions for searching a mapping database for device files that represent the 

system device that is the object of the access attempt and generating a device file entry 
list of all protected device files that represent said system device; and 

instmctions for generating an authorization decision for the access attempt to the 
system device based on the security policy that governs each device file in the device file 
30 entry list. 
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13. The computer program product as described in claim 12 wherein said instructions 
for searching a mapping database comprise: 

instructions for retrieving an entry from the mapping database; 
instructions for comparing the device specification of the device file making the 
5 access attempt to the device specification of the database entry; and 

instructions for comparing the file name of the device file making the access 
attempt to the protected object name of the database entry. 

14. The computer program product as described in claim 13 further comprising after 
10 said file name comparison instructions: 

instructions for generating a device file entry list containing the database entry 
with the same file specification and file name as the device file making the access 
attempt; and 

instructions for terminating said searching instructions. 

15 

15. The computer program product as described in claim 13 further comprising after 
said file name comparison instructions the instructions for placing in a file entry list, a 
mapping database entry having the same file specification as, but different file name from 
the device file making the access attempt. 

20 

16. The computer program product described in claim 15 further comprising: 
instructions for determining whether there are more entries in the database; 
instructions for retrieving the next mapping database entry for comparison with 

said device file making the access attempt, when more entries are found in the mapping 
25 database; and 

instructions for returning to said device file comparison step. 
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17. The computer program product as described in claim 12 wherein said 
authorization instructions comprise: 

instructions for retrieving the current entry in the file entry list; 
instructions for calling the access decision component to obtain an access decision 
5 for the access attempt to the system device based on the security policy that governs the 
current entry in the device file entry list; 

instructions for determining whether decision component granted access; 
instructions for determining whether more entries are in this file entry list, if 
decision component granted access; and 
10 instructions for updating current sentry in said device file entry list and returning 

to said current entry retrieving step. 

18. The computer program product as described in claim 17 further comprising after 
said decision determination instructions the instructions for denying the access attempt to 

15 the system device if the decision component denies access. 

19. The computer program product as described in claim 17 further comprising 
instructions for allowing the access attempt to the system device if no more entries are in 
the file entry list. 

20 
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20. A computer connectable to a distributed computing system, which includes 
special device files containing information, related to corresponding system devices 
comprising: 

a processor; 
5 a native operating system; 

appUcation programs; 

an externally stored authorization program overlaying said native operating 
system and augmenting the standard security controls of said native operating system; 
a mapping database within said external authorization program containing a 
10 system device to a protected object name entries for each protected file system object; 
and 

a decision component within said authorization program for controlling access to 
special device files representing system devices. 

15 21. The computer as described in claimed 20 further comprising authorization 
program for restricting the creation of special device files representing protected system 
devices. 

22. A method for restricting the creation of special device files that represent 
20 protected system devices comprising the steps of: 

determining whether a special device file can be created with the file name 
contained in the creation attempt; 

if a file an be created with said file name, determining whether there is a protected 
special file containing a device specification equal to the device specification of the 
25 special device that is being created; 

generating an authorization decision for the special file creation attempt based on 
the security policy that governs each device file in the device file entry Ust. 



23. The method as described in claim 22 wherein said searching step comprises the 
30 steps of: 

retrieving an entry from the mapping database; 
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comparing the device specification of the device file attempting to be created to 
the device specification of each database entry. 

24. The method as described in claim 23 further comprising after said file 
5 specification comparison step the steps of: 

generating a file entry list containing the database entry with the same file 
specification as the device file, which is the object of the creation attempt. 

25, The method as described in claim 24 further comprising: 
10 getting the current database entry; and 

determining whether a device file can be created based on the permissions of said 
current database entry. 
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26. The method as described in claim 22 wherein said authorization decision step 
comprises the steps of: 

retrieving the current entry in the file entry list; 

calling the access decision component to obtain an access decision for the access 
5 attempt to the system device based on the security policy that governs the current entry in 
the device file entry list; 

determining whether decision component granted access; 

determining whether more entries are in this file entry list, if decision component 
granted access; and 

10 updating current entry in said device file entry list and returning to said current 

entry retrieving step. 

27. The method as described in claim 26 further comprising after said decision 
determination step, the step of denying the access attempt to the system device if the 

15 decision component of an entry in the device entry denies access, 

28. The method as described in claim 26 further comprising the step of allowing the 
access attempt to the system device if no more entries are in the file entry list. 
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